Archive for the ‘Reversing Firmwares’ Category

Reversing LifeSize 220 HD Video Conferencing Appliance Firmware

December 18, 2011

I have recently taken an interest in finding vulnerabilities in embedded devices. Since it is expensive to purchase some of this equipment to perform testing, it might be more cost effective to reverse the firmware instead.
The product which I am reversing is the LifeSize Room 220. The LifeSize Room 220 is an HD video conferencing solution.

It looks like a fairly interesting product to learn more about reversing firmware.

More information about the product can be found here.

First, we need to install the prerequisites on Debian and build zlib from source:
$ apt-get install pkg-config libglib2.0-dev libcurl4-gnutls-dev
$ wget
$ tar xvfz zlib-1.2.5.tar.gz
$ cd zlib-1.2.5
$ ./configure && make && make install

Next, we download the LifeSize firmware from a third party's website:
$ wget

Next, we download and compile binwalk, which identifies the signatures of compression formats and filesystems embedded in the firmware image:
$ wget
$ ./configure
$ make && make install

$ binwalk LS_RM1_4.1.1_17.cmg

We need cramfsswap, which converts the cramfs filesystem from big endian to little endian so that the extraction tools on our x86 host can read it:
$ apt-get install cramfsswap
$ cramfsswap LS_RM1_4.1.1_17.fs LS_RM1_4.1.1_17.cramfs
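Both the binwalk scan and the cramfsswap step come down to recognising magic numbers in the image. The following Python script is an added example, not binwalk, cramfsswap, or code from the original post: it scans a blob for a few common signatures, and for every cramfs hit decodes the superblock (field layout from the kernel's cramfs_fs.h) in the byte order the magic was found in, so the report says whether the image is big or little endian and therefore whether cramfsswap is needed before uncramfs. The firmware image it builds when run without arguments is constructed; pass a real file path to scan that instead.

```python
import struct
import sys

CRAMFS_MAGIC = 0x28CD3D45
CRAMFS_SIGNATURE = b"Compressed ROMFS"
# magic, size, flags, future, signature[16], fsid{crc, edition, blocks, files}, name[16]
CRAMFS_SUPER_FMT = "4I16s4I16s"

# (description, magic bytes, struct byte-order prefix): a small subset of the
# signatures binwalk knows about
SIGNATURES = [
    ("gzip compressed data", b"\x1f\x8b\x08", None),
    ("cramfs filesystem, little endian", struct.pack("<I", CRAMFS_MAGIC), "<"),
    ("cramfs filesystem, big endian", struct.pack(">I", CRAMFS_MAGIC), ">"),
    ("squashfs filesystem, little endian", b"hsqs", "<"),
    ("squashfs filesystem, big endian", b"sqsh", ">"),
]


def parse_cramfs_super(blob, offset, order):
    """Decode the cramfs superblock at `offset` using byte order `order`.

    Returns None when the bytes there are not a superblock in that byte order
    (wrong magic, wrong signature, or the blob is too short).
    """
    fmt = order + CRAMFS_SUPER_FMT
    if offset + struct.calcsize(fmt) > len(blob):
        return None
    (magic, size, flags, _future, signature,
     crc, edition, blocks, files, name) = struct.unpack_from(fmt, blob, offset)
    if magic != CRAMFS_MAGIC or signature != CRAMFS_SIGNATURE:
        return None
    return {
        "offset": offset,
        "endian": "big" if order == ">" else "little",
        "size": size,
        "flags": flags,
        "crc": crc,
        "edition": edition,
        "blocks": blocks,
        "files": files,
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
    }


def scan(blob):
    """Return sorted (offset, description) pairs for every signature hit.

    A cramfs magic is only reported when the whole superblock validates, so a
    chance 4-byte match inside compressed data does not produce a hit.
    """
    hits = []
    for description, magic, order in SIGNATURES:
        start = 0
        while True:
            pos = blob.find(magic, start)
            if pos < 0:
                break
            start = pos + 1
            if description.startswith("cramfs"):
                sb = parse_cramfs_super(blob, pos, order)
                if sb is None:
                    continue
                hits.append((pos, "%s, size: %d, %d files, name: %r" % (
                    description, sb["size"], sb["files"], sb["name"])))
            else:
                hits.append((pos, description))
    return sorted(hits)


def build_sample_image():
    """Constructed stand-in for a firmware image (not real LifeSize data):
    64 bytes of vendor header, a gzip member header, then a big-endian cramfs
    superblock, which is the case that needs cramfsswap on an x86 host."""
    vendor_header = b"CMG0" + b"\x00" * 60
    gzip_header = b"\x1f\x8b\x08\x00" + b"\x00" * 28
    cramfs_super = struct.pack(">" + CRAMFS_SUPER_FMT,
                               CRAMFS_MAGIC, 3 * 4096, 0x3, 0, CRAMFS_SIGNATURE,
                               0xDEADBEEF, 0, 3, 7, b"rootfs".ljust(16, b"\x00"))
    return vendor_header + gzip_header + cramfs_super + b"\x00" * 32


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print("DECIMAL\tHEX\tDESCRIPTION")
    for offset, description in scan(data):
        print("%d\t0x%X\t%s" % (offset, offset, description))
```

Once the scan reports the cramfs offset and its byte order, the reported size field is also what you need to carve the filesystem out of the .cmg before handing it to cramfsswap or uncramfs.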

Next, we need the firmware mod kit, which contains uncramfs, a tool that extracts the cramfs filesystem:
$ mkdir /tmp1/image

$ apt-get install subversion
$ svn checkout firmware-mod-kit-read-only
$ cd firmware-mod-kit-read-only/trunk/src/uncramfs
$ make
$ ./uncramfs /tmp/cramfs /tmp1/LS_RM1_4.1.1_17.cramfs

In order to emulate the device properly, we need to identify the processor type. We can do that by running the file command against /bin/busybox in the extracted filesystem.
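What the file command reports comes straight from the ELF header. The following Python script is an added example, not code from the original post: it decodes e_ident, e_type and e_machine of a binary such as bin/busybox, reports class, byte order and architecture in file-style wording, and maps that to the matching qemu-user binary (qemu-ppc for 32-bit big-endian PowerPC). The header it ships with is constructed to look like a PowerPC executable and is not taken from the LifeSize image; pass a file path to inspect a real binary.

```python
import struct
import sys

# Subset of e_machine values from the ELF specification
ELF_MACHINES = {
    3: "Intel 80386",
    8: "MIPS",
    20: "PowerPC",
    21: "PowerPC 64-bit",
    40: "ARM",
    62: "x86-64",
    183: "AArch64",
}
ELF_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}

# (e_machine, EI_DATA) -> name of the QEMU user-mode emulator binary
QEMU_USER = {
    (3, 1): "qemu-i386",
    (8, 1): "qemu-mipsel",
    (8, 2): "qemu-mips",
    (20, 2): "qemu-ppc",
    (21, 2): "qemu-ppc64",
    (40, 1): "qemu-arm",
    (40, 2): "qemu-armeb",
    (62, 1): "qemu-x86_64",
    (183, 1): "qemu-aarch64",
}


def identify_elf(data):
    """Decode the start of an ELF file: e_ident plus e_type and e_machine.

    Returns a dict describing the binary, or None if `data` is not ELF or uses
    a class/encoding this function does not understand.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    bits = {1: 32, 2: 64}.get(ei_class)
    order = {1: "<", 2: ">"}.get(ei_data)   # EI_DATA: 1 = LSB, 2 = MSB
    if bits is None or order is None:
        return None
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident
    e_type, e_machine = struct.unpack_from(order + "HH", data, 16)
    return {
        "bits": bits,
        "endian": "MSB" if ei_data == 2 else "LSB",
        "type": ELF_TYPES.get(e_type, "unknown(%d)" % e_type),
        "machine": ELF_MACHINES.get(e_machine, "unknown(%d)" % e_machine),
        "qemu_user": QEMU_USER.get((e_machine, ei_data)),
    }


def describe(info):
    """Format like file(1) does, e.g. 'ELF 32-bit MSB executable, PowerPC'."""
    return "ELF %d-bit %s %s, %s" % (info["bits"], info["endian"], info["type"], info["machine"])


# Constructed 52-byte ELF32 header that looks like a big-endian PowerPC
# executable; these are not bytes from the LifeSize busybox.
SAMPLE_PPC_HEADER = (
    b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8   # class=32-bit, data=MSB, version=1
    + struct.pack(">HHIIIIIHHHHHH",
                  2, 20,          # e_type=EXEC, e_machine=PowerPC
                  1, 0x10000134,  # e_version, e_entry
                  52, 0, 0,       # e_phoff, e_shoff, e_flags
                  52, 32, 5,      # e_ehsize, e_phentsize, e_phnum
                  40, 0, 0)       # e_shentsize, e_shnum, e_shstrndx
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            header = f.read(64)
    else:
        header = SAMPLE_PPC_HEADER
    info = identify_elf(header)
    if info is None:
        print("not an ELF file")
    else:
        print(describe(info))
        print("qemu user-mode binary:", info["qemu_user"] or "unknown")
```

Checking busybox specifically is a good choice because it is statically linked on most embedded images and present on almost all of them, so its header reliably reflects the target CPU.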

Having identified the processor type as PowerPC, we download and compile QEMU, which we will use for emulation. The build is static because qemu-ppc will run inside the firmware's chroot, where the host's shared libraries are not available:
$ wget
$ tar xvfz qemu-1.0.tar.gz
$ cd qemu-1.0
$ ./configure --static
$ make && make install

$ cp /tmp1/qemu-1.0/ppc-linux-user/qemu-ppc /tmp1/image
$ cd /tmp1/image
$ chroot . ./qemu-ppc ./bin/ls

We have successfully run the /bin/ls command from the firmware image.